Posts Tagged ‘VA security breach’

Scheduling On Unsecure Calendar Violates VA Security Policies

Wednesday, January 5th, 2011

The Department of Veterans Affairs’ (VA) security policies have once again been violated, putting patients and their personal information at risk. This time, however, it wasn’t a stolen laptop or an unsecured jump drive violating the VA’s security protocols. According to the VA’s monthly congressional report, several doctors at some of Chicago VA’s medical centers were using an unsecured Yahoo! calendar application to schedule patients’ appointments. The publication of the confidential medical information affected approximately 900 patients and is in direct violation of the VA’s rule forbidding patient information being stored outside the VA’s firewalls.

The information stored on the unsecured, online calendar included:

  • Social security numbers;
  • Full names;
  • Types of surgery;
  • Dates or surgery; and
  • Other information.

Apparently such information has been stored on the online calendar since July of 2007. The password established for that calendar back in 2007 is the same password still in use today, according to the report. Given the somewhat transient nature of residents in medical facilities, it is probably a safe bet to say a fair number of people had access to the password over the years and potentially still know that password.

Once again, VA spokespeople used this incident to highlight their need for more IT tools  to build a more secure VA; cloud-based tools were highlighted in particular. VA doctors are supposed to use their secure network to store patient information. Even the most secure VA network depends on the users maintaining the security. In this situation, posting patient information online could not have been stopped by more state-of-the-art or more effective security tools.

If you are a disabled veteran who has been denied disability compensation or have not yet applied for benefits from the VA, contact LaVan & Neidenberg. You may be entitled to certain programs and benefits so contact our veterans disability rights firm today.

Once Again The VA Has Security Issues

Wednesday, November 24th, 2010

The Department of Veterans Affairs (VA) had, and still has, serious issues with their security. They have a history of stolen laptops, comprised social security numbers and personal identifications, and policies lacking clear focus. The last time this happened assurances were made that security policies would being tightened up, access to secure information would be limited, and new policies would be implemented to protect the VA and everyone associated with the VA. However, these policies only work when they are actually followed.

A claims examiner working for the VA plugged an unencrypted thumb drive into a computer attached to the VA network. The examiner was using the drive to store 240 veterans’ personal records, which, of course, included social security numbers. That examiner then went ahead and lost the drive. Another employee, in a separate incident, accessed veterans’ personal records, printed them out, and took them home. Both of these instances are clear violations of the VA’s policies.

VA Chief Information Officer Roger Baker detailed the two incidents to Congress this month during his data breach report. The results are obvious: security protocols implemented to protect personal information are being ignored.

The VA’s policies clearly ban any use of unencrypted thumb drives in any of their computers. The drive was found by a security guard, who took it home, showed it to his wife who recognized the information for what it was, and told him to return it. The thumb drive included personal information on veterans consisting of:

  • Names;
  • Medical records;
  • Financial records;
  • Dates of birth;
  • Addresses; and
  • Social security numbers.

The other employee who printed out veterans’ information did so in order to create a Word document from the list. This not only offended the common sense of almost all VA employees, it violated the VA’s privacy and security protocols. The employee then tried to email the Word document to his email address at the VA. The document was rejected because it included social security numbers.

The VA has strict rules, policies, and protocols to prevent information from being stolen. While there has not yet been any word about if these 2 particular VA employees have faced any disciplinary action, hopefully the VA can use these incidents as a teaching example to the rest of the 300,000 VA employees.

If you are a disabled veteran who has been denied disability compensation or have not yet applied for benefits from the VA, contact LaVan & Neidenberg. You may be entitled to certain programs and benefits so contact our veterans disability rights firm today.